Bettercrypto - Applied Crypto Hardening for Sysadmins
Attacks
Aaron Zauner
BetterCrypto.org
Hack.lu - 21/10/2014
Internet Dark Ages
- SSLv1 engineered at Netscape, never released to the public
- Kipp Hickman of Netscape introduces SSLv2 as an IETF draft back in 1995:
  The SSL Protocol is designed to provide privacy between two communicating applications (a client and a server). Second, the protocol is designed to authenticate the server, and optionally the client. [...]
  http://tools.ietf.org/html/draft-hickman-netscape-ssl-00
Hack.lu - 21/10/2014 Bettercrypto - Applied Crypto Hardening for Sysadmins Aaron Zauner 1/36
Internet Dark Ages
- SSLv2 was fundamentally broken and badly designed. Basically a full loss of confidentiality and integrity of on-wire data, thus susceptible to MITM attacks, see: http://osvdb.org/56387
- CipherSpec is sent in the clear
- Size of block-cipher padding is sent in the clear
Internet Dark Ages
- SSLv3 was introduced in 1996 by Paul Kocher, Phil Karlton and Alan Freier, utilizing an algorithm by Taher ElGamal, a known cryptographer and Chief Scientist at Netscape at the time: https://tools.ietf.org/html/rfc6101
Internet Dark Ages
On a side note: back then the choice of algorithms was limited, and export ciphers (low security) were common, as recommended by the NSA and mandated by US law. Google: “Bernstein vs. United States”
- encryption algorithms (confidentiality): NULL, FORTEZZA-CBC (NSA), IDEA-CBC, RC2-CBC-40 (40-bit security), RC4-128, DES40-CBC (40-bit security), DES-CBC (56-bit security), Triple-DES-EDE-CBC
- hash functions (integrity): NULL, MD5 and SHA
Internet Dark Ages
David Wagner and Bruce Schneier publish a paper entitled “Analysis of the SSL 3.0 protocol”:
- Key exchange algorithm rollback
- Protocol fallback to SSLv2
- Protocol leaks known plaintexts - may be used in cryptanalysis
- Replay attacks on anonymous DH (don’t use it anyway!)
https://www.schneier.com/paper-ssl.pdf
TLS appears
1999. The SSL protocol is renamed to TLS (version 1) with only small improvements over SSLv3. The spec is almost identical.
- Diffie-Hellman, DSS and Triple-DES are now required of implementors
- most SSLv3 security issues are still present in TLS 1.0 (RFC2246)
TLS gets padding attacks
2002. Vaudenay publishes a paper entitled “Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS...”
- Side-channel attack on CBC mode padding
- valid/invalid padding causes different reactions
- can be used to influence decryption operations
- introduces “padding oracle attacks” in SSL
http://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf
TLS gets extended
2003. TLS extensions get specified in RFC3546.
- General: Extended Handshake, ClientHello and ServerHello
- Server Name Indication (SNI) for virtual hosting (SNI leaks metadata!)
- Certificate Status Request (CSR) support via OCSP
- (...)
TLS gets timing attacks
2003. Brumley and Boneh publish a paper entitled “Remote timing attacks are practical”.
Timing attack on RSA in SSL/TLS implementations (OpenSSL):
- Send specially crafted ClientKeyExchange message
- Measure time between ClientKeyExchange and Alert response
- do a bit of statistics
- retrieve private key
http://dl.acm.org/citation.cfm?id=1251354
TLS gets padding oracle password retrieval
2003. Canvel, Hiltgen, Vaudenay and Vuagnoux publish “Password Interception in a SSL/TLS Channel”.
They extend the earlier work of Vaudenay and successfully intercept IMAP passwords in TLS channels.
http://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf
TLS gets chosen plaintext attacks
2004 & 2006. Bard demonstrates chosen-plaintext attacks against SSL and TLS 1.0.
Attack on CBC:
- CBC exchanges an Initialization Vector (IV) during handshake
- these IVs turn out to be predictable
- PINs and passwords can be decrypted
- VPNs/proxies can also be used to accomplish this task
https://eprint.iacr.org/2004/111
https://eprint.iacr.org/2006/136
TLS gets updated
2006. A new TLS protocol version is standardized: TLS 1.1
- EXPORT ciphers removed
- Session resumption
- Protection against the CBC attacks by Bard
- IANA TLS parameters standardized
- (...)
(RFC4346)
TLS gets modern crypto
2008. A new TLS protocol version is standardized: TLS 1.2
- MD5/SHA1 removed as pseudorandom function (PRF)
- configurable PRFs in ciphersuites (e.g. SHA256)
- Authenticated encryption: CCM, GCM
- AES ciphersuites
- (...)
(RFC5246)
Rogue CA Certificates
2008. Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik and de Weger present a paper based on earlier work by Lenstra et al. at 25C3 entitled “MD5 considered harmful today”
- MD5 hash collision of a CA certificate
- Create colliding (rogue) CA certificates
- Generate any certificate for MITM you want
http://www.win.tue.nl/hashclash/rogue-ca/
https://www.youtube.com/watch?v=PQcWyDgGUVg
sslstrip
2009. Moxie Marlinspike releases sslstrip at BlackHat DC 2009.
- Client connects to server
- Attacker intercepts session via MITM
- Attacker sends HTTP 301 (moved permanently)
- Attacker forwards requests to/from server via SSL/TLS
- Client receives data via unencrypted channel
- Attacker reads plaintext
http://www.thoughtcrime.org/software/sslstrip
http://vimeo.com/50018478
Null-prefix attacks against Certificates
2009. Moxie Marlinspike publishes “Null Prefix Attacks Against SSL/TLS Certificates”.
- Specially crafted domain strings trick CA checking
- null-terminate stuff in a domain name
- ex.: www.paypal.com\0.thoughtcrime.org is valid
- ex.: *\0.thoughtcrime.org is valid
- CA ignores prefix
- Client does not -> certificate valid for prefix
Moxie updated his sslsniff project to carry out this attack.
http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
http://thoughtcrime.org/software/sslsniff
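As an added illustration (not from the slides or from Moxie's tools), the Python below reproduces the client-side truncation that made the prefix "win" and contrasts it with a hostname match that handles the full name; the function names and sample names are mine.

```python
# Added example (not from the slides): why an embedded NUL byte in a
# certificate name fooled clients. C code that reads the name with strlen()
# stops at the first NUL, so "www.paypal.com\0.thoughtcrime.org" collapses to
# "www.paypal.com" on the client, while the CA validated "thoughtcrime.org".
from fnmatch import fnmatchcase


def ca_verified_domain(cert_name: bytes) -> str:
    """What a CA checking ownership of the registrable domain sees: the full
    string, NUL treated as an ordinary character (last two labels)."""
    return ".".join(cert_name.decode("latin-1").split(".")[-2:])


def c_string_view(cert_name: bytes) -> str:
    """Simulate a strlen()-based read: everything after the first NUL is lost."""
    return cert_name.split(b"\x00", 1)[0].decode("latin-1")


def naive_hostname_match(cert_name: bytes, hostname: str) -> bool:
    """Vulnerable check: treats the name as a C string and matches the
    truncated, wildcard-capable pattern against the hostname."""
    return fnmatchcase(hostname.lower(), c_string_view(cert_name).lower())


def safe_hostname_match(cert_name: bytes, hostname: str) -> bool:
    """Hardened check: reject NUL and non-ASCII, compare label by label over
    the full length, allow '*' only as the whole leftmost label, and require
    at least two labels to the right of a wildcard (no '*.com')."""
    if b"\x00" in cert_name:
        return False
    try:
        pattern = cert_name.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if p == "*":
            if i != 0 or len(p_labels) < 3:
                return False
            continue
        if "*" in p or p != h:
            return False
    return True
```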
SSLv2 Forbidden
2011. The IETF publishes and standardizes an RFC that prohibits negotiation of SSLv2, and thus SSLv2 compatibility, in TLS 1.0-1.2 entirely.
https://tools.ietf.org/html/rfc6176
Comodo
2011. Comodo CA: An attacker issues 9 certificates via a reseller account for popular domains (google.com, yahoo.com, live.com, skype.com [...])
https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
BEAST
2011. Duong and Rizzo publish the BEAST attack at ekoparty and demo a live attack on PayPal. Based on Bard’s earlier work on predictable IVs in CBC:
- Phishing gets victim to visit a certain website
- Script on said website makes request to genuine site
- Attacker records encrypted cookie information
- Tries to guess session cookie with known CBC attack
The Same Origin Policy (SOP) forbids this attack in client software. If SOP can be bypassed (as shown by the authors with Java’s SOP) this attack is still practical.
http://vnhacker.blogspot.co.at/2011/09/beast.html
Trustwave
2012. Trustwave CA: Trustwave sells subordinate CAs to big corporations to be used for Deep Packet Inspection.
A sub-CA can issue and fake any certificate for MITM attacks.
http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html
http://arstechnica.com/business/2012/02/critics-slam-ssl-authority-for-minting-cert-used-to-impersonate-sites/
DigiNotar
2012. DigiNotar CA: Attackers compromise DigiNotar in its entirety.
- attackers generate tons of certificates
- Google Chrome’s certificate store detects mismatches
- DigiNotar acknowledges breach
- DigiNotar files for bankruptcy
- FOX-IT never gets paid for the investigation
https://en.wikipedia.org/wiki/DigiNotar
http://cryptome.org/0005/diginotar-insec.pdf
http://nakedsecurity.sophos.com/2011/09/05/operation-black-tulip-fox-its-report-on-the-diginotar-breach
Certificate validation in non-browser software
2012. Georgiev, Iyengar, Jana, Anubhai, Boneh and Shmatikov publish a paper entitled “The most dangerous code in the world: validating SSL certificates in non-browser software”
Certificate validation vulnerabilities in:
- OpenSSL
- GnuTLS
- JSSE
- EC2 Java libraries & Amazon SDKs
- PayPal SDKs
- eCommerce/WebShop software
- ... cURL, PHP, Python, tons of Java middleware
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
CRIME
2012. Duong and Rizzo publish an attack against TLS compression and SPDY titled CRIME.
- MITM attacker sees length of compressed ciphertext
- compression has a direct effect on the length
- attacker makes client compress/encrypt data (or uses known data) together with secret data
- attacker compares
- correct guesses yield shorter messages due to compression
- repeat until done
This is only feasible for small amounts of data, e.g. session strings, cookies and so forth.
https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx
TIME
2013. Be’ery and Shulman present TIME at BlackHat Europe. It extends the CRIME attack:
- Attacker generates HTTP requests (XSS, injection, ...)
- Attacker exploits SOP design flaw and measures RTT differences
- determines correct or failed guesses by SOP timing leak
https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf
https://www.youtube.com/watch?v=rTIpFfTp3-w
Lucky13
2013. AlFardan and Paterson present a novel attack against CBC for TLS and DTLS based on timing analysis.
- Attacker intercepts and modifies a message including padding
- Attacker tampers with the padding of the message
- MAC computation takes longer during the decryption process
- Attacker repeats and measures
- Attacker performs the padding oracle attack described earlier
- (Extremely latency-sensitive attack)
http://www.isg.rhul.ac.uk/tls/Lucky13.html
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
RC4 Biases
2013. AlFardan, Bernstein, Paterson, Poettering and Schuldt publish a generic attack on the RC4 cipher for TLS and WPA.
- Statistical biases in the first 257 bytes of ciphertext
- Recovery of the first 200 bytes after 2^28 to 2^32 encryption operations of the same plaintext
- A broadcast attack: mounted on unique keys
- May also be mounted with a single key with repeating target plaintexts
- Only feasible for large amounts of data and very time consuming
http://www.isg.rhul.ac.uk/tls
http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
NIST curves
2013 & 2014. Daniel J. Bernstein and Tanja Lange voice concern about the NIST elliptic curves that are widely implemented and used in TLS for ECDH and ECDSA
- NIST curves defined on recommendations by NSA’s Jerry Solinas
- Unclear why these curves and their parameters were chosen
- NIST cites efficiency: more efficient and secure curves are available
- Possible mathematical backdoor through previous analysis and carefully chosen and unexplained parameters
- Start SafeCurves project (ongoing)
http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf
http://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf
http://safecurves.cr.yp.to
https://archive.org/details/ShmooCon2014_SafeCurves
BREACH
2013. Gluck, Harris and Prado demonstrate yet another attack based on CRIME at BlackHat USA.
Very similar to CRIME, but the attack works based on information leaks from HTTP compression instead of TLS compression.
http://breachattack.com
https://www.youtube.com/watch?v=CoNKarq1IYA
Unused Certificates in Truststores
2014. Perl, Fahl and Smith publish a paper entitled “You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores”
- Compared 48 million HTTP certificates
- 140 CA certificates are unused in all major trust stores
- Of 426 trusted root certificates only 66% are even used
http://fc14.ifca.ai/papers/fc14_submission_100.pdf
Triple Handshakes Considered Harmful
2014. Bhargavan, Delignat-Lavaud, Pironti, Langley and Ray present an attack one day before the IETF 89 meeting in London.
- Limited to client-certificate authentication with renegotiation
- MITM attack on renegotiation with a three-way handshake
- Variations of the attack also discussed on their website
- Can’t possibly fit this into one slide, homework: understand the attack by reading their excellent description on the website
https://secure-resumption.com
https://secure-resumption.com/IETF-triple-handshakes.pdf
Frankencerts
2014. Brubaker, Jana, Ray, Khurshid and Shmatikov publish a paper entitled “Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations”
- Fuzzing of X.509 related code in all major implementations shows serious weaknesses in certificate validation and handling
- OpenSSL, NSS, GnuTLS, MatrixSSL, PolarSSL, CyaSSL, cryptlib [...]
https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
https://github.com/sumanj/frankencert
Heartbleed
2014. Heartbleed is independently discovered by Codenomicon and a Google Security engineer.
A faulty implementation in OpenSSL of the TLS Heartbeat extension leaks memory content over the wire. This has been all over the media and discussed in detail all over the internet. People have successfully extracted sensitive information (password files et cetera) from victim memory.
I wrote an nmap plugin to scan for Heartbleed: https://github.com/azet/nmap-heartbleed
http://heartbleed.com
Virtual Host Confusion
2014. At BlackHat, Delignat-Lavaud presents an attack based on SSLv3 downgrade and sharing of session caches
- Attacker forces downgrade to SSLv3
- For SSLv3: larger deployments share session caches
- attacker exploits a server vulnerability where session caches are reused
- attacker requests different subdomain with SSLv3 using the same session
- vulnerable server will allow connection w/o authentication
- www.company.com vs git.company.com
https://bh.ht.vc
POODLE
2014. POODLE: Padding Oracle On Downgraded Legacy Encryption - OpenSSL/Google
- MITM attacker downgrades to SSLv3 (once again)
- attacker does block duplication
- takes on average 256 requests to decrypt 1 byte (!)
- disabling SSLv3 or using the FALLBACK_SCSV TLS extension (draft) mitigates this issue entirely
https://www.openssl.org/~bodo/ssl-poodle.pdf
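As an added example (not from the slides, and not an OpenSSL or BetterCrypto artifact), the Python below builds a client context that applies the mitigations the timeline arrives at: no SSLv3/TLS 1.0/1.1 (POODLE, BEAST), no TLS compression (CRIME), and mandatory chain and hostname verification (the non-browser validation paper), next to the kind of permissive context that still ships in old client code and an audit function that flags it. It assumes Python 3.7 or newer for ssl.TLSVersion; the function names are mine.

```python
# Added example (not from the slides): a Python ssl.SSLContext that applies the
# mitigations this deck arrives at (POODLE/BEAST: no SSLv3 or TLS 1.0/1.1,
# CRIME: no TLS compression, "most dangerous code": verify chain and hostname),
# plus an audit helper that flags a context still carrying the old defaults.
# Requires Python 3.7+ (ssl.TLSVersion); the function names are my own.
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 as floor, compression off, strict verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses an SSLv3 downgrade
    ctx.options |= ssl.OP_NO_COMPRESSION            # removes the CRIME oracle
    ctx.verify_mode = ssl.CERT_REQUIRED             # chain must validate
    ctx.check_hostname = True                       # name must match the cert
    ctx.load_default_certs()
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of context found in old client code: any protocol version,
    no certificate or hostname verification (constructed here for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_weaknesses(ctx: ssl.SSLContext) -> list:
    """Return a list of problems found in a client context (empty = OK)."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol floor below TLS 1.2 (POODLE/BEAST class)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        problems.append("TLS compression allowed (CRIME)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required/verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    return problems


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("legacy", legacy_client_context())):
        print(name, context_weaknesses(ctx) or "OK")
```

Modern Python already disables compression and SSLv2/SSLv3 in a fresh context, so the audit is most useful against contexts whose options or verification settings were relaxed by application code.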
Implementation Issues
There are tons of other issues with TLS stacks and software implementations that have not been discussed.
OpenSSL alone has published 24 security advisories in 2014 until today.
- Apple’s GOTO fail
- GnuTLS GOTO fail
- various GnuTLS vulnerabilities
- wrong use of the OpenSSL API in server and client software
- ...
Clearly, a lot of people currently have their eyes on this very topic.
Implementation Issues
For this crowd: It’s up to you to find them and improve existing implementations, protocols and standards.